Volt v0.5.0

Latest

@github-actions github-actions released this 11 Apr 23:52

What's New in v0.5.0

Security hardening

  • rename_path is now default-deny on overwrite. Drag-drop and rename now pass an explicit force: true only after the user confirms a "Replace?" prompt. Closes a silent-clobber path where a compromised frontend (or bug) could overwrite files without warning.
  • TOCTOU close on file ops. read_file, save_file, create_*, delete_path, swap files, and list_all_files now operate on the canonicalized PathBuf returned by validate_path instead of the raw frontend string, removing the symlink-swap window between validation and use.
  • Symlinks skipped in recursive walks. list_all_files and search_in_files now ignore symlinked entries so a malicious project can't ship ./link -> /etc (or ~/.ssh) and exfiltrate file contents via Find in Files.
  • Git command hardening. git status is now invoked with -c core.fsmonitor=false -c protocol.file.allow=never, preventing a malicious .git/config inside an opened folder from executing attacker binaries when the file tree auto-refreshes.
  • LSP and watcher commands now validate paths. lsp_did_open/change/save/close, watch_file, and watch_directory go through validate_path so the project-root sandbox applies to every IPC entry point, not just the file ops.
  • CSP tightened with base-uri 'self' and form-action 'none'.
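The validate-then-use and symlink-skip items above, sketched as an added example (not Volt's own code). The function names come from the notes; their bodies, signatures and the error message are assumptions, and only the standard library is used.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Hypothetical stand-in for Volt's validate_path: resolve symlinks and `..`,
/// then require the result to stay inside the canonical project root.
pub fn validate_path(root: &Path, requested: &str) -> io::Result<PathBuf> {
    let root = fs::canonicalize(root)?;
    let resolved = fs::canonicalize(root.join(requested))?;
    if !resolved.starts_with(&root) {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "outside project root"));
    }
    Ok(resolved)
}

/// Open the PathBuf that was validated, never the raw frontend string.
pub fn read_file(root: &Path, requested: &str) -> io::Result<String> {
    fs::read_to_string(validate_path(root, requested)?)
}

/// Recursive walk that skips symlinks. DirEntry::file_type does not follow
/// links, so `./link -> /etc` is reported as a symlink, not a directory.
pub fn list_all_files(dir: &Path, out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let kind = entry.file_type()?;
        if kind.is_symlink() {
            continue; // never descend into or report a symlinked entry
        } else if kind.is_dir() {
            list_all_files(&entry.path(), out)?;
        } else if kind.is_file() {
            out.push(entry.path());
        }
    }
    Ok(())
}

fn main() {
    let root = std::env::current_dir().expect("cwd");
    let mut files = Vec::new();
    let walked = list_all_files(&root, &mut files);
    println!("{:?}: {} regular files listed, symlinks skipped", walked, files.len());
    // An absolute path outside the root is rejected before any read happens.
    println!("{:?}", read_file(&root, "/etc/hostname").map(|s| s.len()));
}
```

`fs::canonicalize` fails on paths that do not exist yet, so a create-style operation in this sketch would validate the parent directory and join the new file name afterwards.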

Fixes

  • macOS GUI launches: Backspace/Enter/arrow keys now work in spawned shells. portable-pty's CommandBuilder starts with an empty env, so GUI-launched Volt was spawning zsh with no TERM and dropping it into dumb mode. Volt now forwards the parent process env to PTY children and forces TERM=xterm-256color as a fallback.
  • Case-only renames work on Windows and macOS (e.g. Foo.txt → foo.txt). Previously the canonical-path equality check rejected these as no-ops; now they're detected and applied via the raw paths so the new casing is preserved.
  • Markdown preview / editor scroll position is preserved when toggling. Switching modes now remembers each side's scroll independently and falls back to a proportional ratio map for the first toggle.

Removed

  • RAM/CPU resource monitor in the status bar is gone, along with system.rs, status-bar.js, and the sysinfo crate dependency. Keeps Volt closer to its lean-RAM target.

Internal

  • README touch-ups (zoom shortcut keys, settings entry point, split-pane close/drag-out wording, individually-removable recent folders).
  • Bumped to v0.5.0; Cargo.lock churn from dropping sysinfo.